F5 Logo MyF5
Search
  1. MyF5 Home
  2. BIG-IP TMOS: Tunneling and IPsec
  3. Common Elements for IPsec security association tasks
Manual Chapter : Common Elements for IPsec security association tasks

Applies To:

Show Versions Show Versions

BIG-IP AAM

  • 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0

BIG-IP APM

  • 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0

BIG-IP Link Controller

  • 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0

BIG-IP LTM

  • 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0

BIG-IP AFM

  • 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0

BIG-IP ASM

  • 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0
Manual Chapter

Common Elements for IPsec security association tasks

Before starting this task, determine the source and destination IP addresses for the BIG-IP systems in your network that will direct the application traffic.
You create a manual security association to specify the security attributes for a given IPsec communication session. These attributes include the specific source and destination IP addresses of the communicating devices, the authentication algorithm, and the encryption algorithm that the IPsec protocol should use.
You must perform this task on both BIG-IP systems.
  1. On the Main tab, click
    Network
    IPsec
    Manual Security Associations
    .
  2. Click the
    Create
     button.
    The New Security Association screen opens.
  3. In the
    Name
     field, type a unique name for the security association.
  4. In the
    Description
     field, type a brief description of the security setting.
  5. In the
    SPI
     field, type a unique number for the security parameter index.
    This number must be an integer between 256 and 4294967296.
  6. From the
    IPsec Protocol
     list, select a protocol.
    You can select
    AH
    ,
    Bundle
    , or
    ESP
    .
  7. In the
    Source Address
     field, type the source IP address.
    This IP address must match the IP address specified for the
    Tunnel Local Address
     in the selected IPsec policy.
  8. In the
    Destination Address
     field, type the IP address in CIDR format.
    The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is
    10.0.0.1
     or
    10.0.0.0/24
    , and an IPv6 address/prefix is
    ffe1::0020/64
     or
    2001:ed8:77b5:2:10:10:100:42/64
    . When you use an IPv4 address without specifying a prefix, the BIG-IP system automatically uses a
    /32
     prefix.
    This IP address must match the IP address specified for the
    Tunnel Remote Address
     in the selected IPsec policy.
  9. From the
    Authentication Algorithm
     list, select an algorithm.
    You can select
    HMAC MD5
     or
    HMAC SHA-1
    .
  10. From the
    Encryption Algorithm
     list, select the algorithm appropriate to your deployment.
  11. In the
    Authentication Key
     field, type a key value.
    This value can by any double-quoted character string up to a maximum of 128 characters
  12. In the
    Encryption Key
     field, type a key value.
    This value can by any double-quoted character string up to a maximum of 128 characters
  13. For the
    IPsec Policy Name
     setting, retain the default selection,
    default_ipsec_policy
    .
  14. From the
    IPsec Policy Name
     list, select an IPsec policy.
    • For the outbound security association, select the IPsec policy you created for outbound traffic.
    • For the inbound security association, select the IPsec policy you created for inbound traffic.
  15. For the
    IPsec Policy Name
     setting, select the IPsec policy you previously created for inbound traffic.
  16. For the
    IPsec Policy Name
     setting, select the IPsec policy you previously created for outbound traffic.
  17. Click
    Finished
    .
    The screen refreshes and displays the new IPsec security association in the list.
  18. Repeat this task on the BIG-IP system in the remote location.
  19. Repeat this task for security associations that handle outbound and inbound traffic on both the local and remote BIG-IP systems.
You now have an IPsec security association that you have assigned to an IPsec policy.
Contact Support Contact Support

Have a Question?

Support and Sales >

About F5

Education

F5 Sites

Support Tasks




©2023 F5, Inc. All rights reserved.


Trademarks Policies Privacy California Privacy Do Not Sell My Personal Information